12-07-2015 10:45 PM
Hi,
I have the following settings for a VPN tunnel:
group-policy Gpo_VPN internal
group-policy Gpo_VPN attributes
wins-server none
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-ACL
nat (Inside,any) source static 192.168.1.10 192.168.1.10 destination static VPN-A VPN-A
nat (Inside,any) source static 192.168.1.50 192.168.1.50 destination static VPN-A VPN-A
nat (Inside,any) source static 192.168.1.20 192.168.1.20 destination static VPN-A VPN-A
access-list VPN-ACL extended permit ip host 192.168.1.50 object VPN-A
access-list VPN-ACL extended permit ip host 192.168.1.20 object VPN-A
The issue: even though I have not permitted 1.10 in the ACL, I still get a reply from it once connected to the VPN.
Thank you
12-10-2015 05:05 PM
Hi elite2010,
Make sure you are connected to the right group-policy; you can use the command "show vpn-sessiondb anyconnect".
Hope it helps
-Randy-
12-17-2015 07:41 AM
Hi,
As per the access list, I should have access only to the network 192.168.100.0.
But I got access to another server (192.168.101.10), which is in another network.
I made sure users connected using the right policy.
Then I changed the address pool value of group policy GP-NOACCESS as below:
address-pools value VPN_POOL (before it was inheriting)
After changing the address pool value, I lost access to the server 192.168.110.10.
But the VPN client still shows there is a route to the server 192.168.110.10:
c:\ route print
network destination netmask gateway interface
192.168.100.0 255.255.255.0 172.16.100.12 172.16.100.11
192.168.110.10 255.255.255.255 172.16.100.12 172.16.100.11
Why does it still show in the route table of the client?
What happens when the address pool value is changed?
I followed the below doc from Cisco:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html
Configurations are below:
ip local pool VPN_POOL 172.16.100.10-172.16.1.254 mask 255.255.255.0
access-list VPNAcl standard permit 192.168.100.0 255.255.255.0
nat (Inside,Outside) source static SERVERS SERVERS destination static N_OBJ_172.16.100.10_24 N_OBJ_172.16.100.10_24 no-proxy-arp route-lookup
aaa-server ldapgroup protocol ldap
aaa-server ldapgroup (Inside) host DOMAIN-IP
ldap-base-dn DC=company ,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=vpnconnect ,OU=MYOU,DC=company,DC=local
server-type microsoft
ldap-attribute-map MAPUSER
Created NoACCESS group:
-----------------------------------------------------------------
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
banner value test
dns-server value x.x.x.x
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
default-domain value
address-pools value VPN_POOL
Created a tunnel group and set the default group policy as GP-NOACCESS:
-----------------------------------------------------------
tunnel-group VPNTG type remote-access
tunnel-group VPNTG general-attributes
address-pool VPN_POOL
authentication-server-group ldapgroup
default-group-policy GP-NOACCESS
tunnel-group VPNTG webvpn-attributes
group-alias VPNTG enable
Then created another group policy:
group-policy GP-ACCESS internal
group-policy GP-ACCESS attributes
wins-server none
dns-server value DOMAINIP
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-ACL
default-domain value
split-tunnel-all-dns disable
At last, mapped:
ldap attribute-map MAPUSER
map-name memberOf Group-Policy
map-value memberOf "CN=FINANCE,OU=MYOU,DC=company ,DC=local" GP
Thanks
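The following is an added example, not code from either post or from Cisco. It cross-checks the two kinds of configuration shown in this thread: the first post's NAT exemptions against its split-tunnel ACL VPN-ACL, and this post's client "route print" against the standard ACL VPNAcl. For an extended split-tunnel ACL the ASA pushes the source field of each permit line, so that is what the parser reads. The configuration lines are modelled on the posts; the 0.0.0.0 default route, the gateway 10.0.0.1 and the object-name NAT line are constructed for the example, and the tunnel gateway address (172.16.100.12 in this post) is assumed to be known from the client's route table.

```python
"""Cross-check an ASA split-tunnel ACL against NAT exemptions and a client route table.

Added illustration, not from the thread. Reports networks that are NAT-exempted
toward the VPN, or routed via the tunnel on the client, but are not covered by
the split-tunnel list.
"""
import ipaddress
import re

# Constructed sample modelled on the first post: extended split-tunnel ACL plus
# three identity NAT lines, one of which (192.168.1.10) has no ACL entry.
FIRST_POST_CONFIG = """
access-list VPN-ACL extended permit ip host 192.168.1.50 object VPN-A
access-list VPN-ACL extended permit ip host 192.168.1.20 object VPN-A
nat (Inside,any) source static 192.168.1.10 192.168.1.10 destination static VPN-A VPN-A
nat (Inside,any) source static 192.168.1.50 192.168.1.50 destination static VPN-A VPN-A
nat (Inside,any) source static 192.168.1.20 192.168.1.20 destination static VPN-A VPN-A
"""

# Constructed sample modelled on the third post: standard ACL and a "route print"
# excerpt (the 0.0.0.0 default route via 10.0.0.1 is constructed).
THIRD_POST_ACL = "access-list VPNAcl standard permit 192.168.100.0 255.255.255.0\n"
THIRD_POST_ROUTES = """
network destination netmask gateway interface
192.168.100.0 255.255.255.0 172.16.100.12 172.16.100.11
192.168.110.10 255.255.255.255 172.16.100.12 172.16.100.11
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.5
"""

NAT_RE = re.compile(
    r"^nat\s+\(\S+\)\s+source\s+static\s+(\S+)\s+(\S+)\s+destination\s+static"
)


def _net(addr, mask=None):
    """Build an ip_network from an address and an optional dotted netmask."""
    return ipaddress.ip_network(addr if mask is None else f"{addr}/{mask}", strict=False)


def split_tunnel_networks(config, acl_name):
    """Return the networks a split-tunnel ACL pushes to the client.

    Standard ACL: the permitted network. Extended ACL: the ASA tunnels the
    *source* of each permit line, so the source field is what we read.
    """
    nets = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", acl_name] or "permit" not in tokens:
            continue
        i = tokens.index("permit") + 1
        if tokens[2] == "standard":
            nets.append(_net(tokens[i], tokens[i + 1]))
        elif tokens[2] == "extended":
            i += 1  # skip the protocol keyword (ip, tcp, udp, ...)
            if tokens[i] == "host":
                nets.append(_net(tokens[i + 1]))
            elif tokens[i] != "any" and not tokens[i].startswith("object"):
                nets.append(_net(tokens[i], tokens[i + 1]))
    return nets


def nat_exempt_sources(config):
    """Return the real inside sources of identity NAT lines toward the VPN.

    Literal addresses become networks; object names are returned as strings so
    the caller can see what still needs an object lookup.
    """
    sources = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        try:
            sources.append(_net(m.group(1)))
        except ValueError:
            sources.append(m.group(1))  # object name, not an address literal
    return sources


def tunnel_routes(route_print, tunnel_gateway):
    """Return routes from a Windows 'route print' excerpt whose gateway is the tunnel."""
    routes = []
    for line in route_print.splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue
        try:
            net = _net(tokens[0], tokens[1])
        except ValueError:
            continue  # header line or non-IPv4 entry
        if tokens[2] == tunnel_gateway:
            routes.append(net)
    return routes


def not_in_split_list(candidates, split_nets):
    """Return candidates no split-tunnel network contains (object names pass through)."""
    flagged = []
    for cand in candidates:
        if isinstance(cand, str) or not any(cand.subnet_of(s) for s in split_nets):
            flagged.append(cand)
    return flagged


if __name__ == "__main__":
    acl1 = split_tunnel_networks(FIRST_POST_CONFIG, "VPN-ACL")
    print("NAT sources missing from VPN-ACL:", not_in_split_list(nat_exempt_sources(FIRST_POST_CONFIG), acl1))
    acl3 = split_tunnel_networks(THIRD_POST_ACL, "VPNAcl")
    print("Tunnel routes missing from VPNAcl:", not_in_split_list(tunnel_routes(THIRD_POST_ROUTES, "172.16.100.12"), acl3))
```

On the sample data the first check flags 192.168.1.10, which has an identity NAT toward the VPN pool but no entry in VPN-ACL, and the second flags the 192.168.110.10/32 route, which the client sends down the tunnel although VPNAcl only lists 192.168.100.0/24. Either mismatch is worth looking at alongside the group-policy the session actually received.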
12-17-2015 03:49 PM
Is the entry 192.168.110.10 still present even with the VPN disconnected? Based on the mask, it looks like this might be a static entry created on the PC.
-Randy-
12-18-2015 06:55 AM
Hi,
The route is visible only when the VPN is connected.
Why does the gateway show 172.16.100.12?
Thank you